24h-payday

Archive for the ‘Twitter’ Category

Twitter Chat: Top 10 Things You Should Know About Predictive Coding

Monday, September 17th, 2012

Predictive coding is commonly viewed as a promising technology with great potential to ease the time and monetary burden of the eDiscovery process. As organizations start to implement predictive coding more frequently, many are wondering how best to introduce it into their litigation support planning.

Many companies have been in legal situations where they wished for a crystal ball to show exactly what they would need to ensure litigation ran smoothly. While this of course isn’t possible, there is a way for organizations to efficiently identify and review the right information needed for litigation during eDiscovery, and that is through predictive coding technology.

This Thursday, join Symantec eDiscovery experts on Twitter to discuss “The Top 10 Things You Should Know About Predictive Coding.”  The Twitter Chat will take place on Thursday, September 20th at 10:00 a.m. PT.  Simply follow the hashtag #IGChat to join in the discussion. We look forward to hearing your feedback on predictive coding – has your organization faced any challenges? Does predictive coding work for your organization? Are you still facing challenges working out clear, defensible predictive coding workflow?

Experts on the chat will include Symantec eDiscovery Counsel Matt Nelson, who recently wrote a book entitled Predictive Coding for Dummies. In the book, Matt shares benefits of predictive coding and a list of 10 important things everyone should know about the technology. Matt will be sharing some excerpts from his book, and our other eDiscovery experts will be available to answer all of your predictive coding questions.

Twitter Chat: The Top 10 Things You Should Know About Predictive Coding (#IGChat)

Date: Thursday, September 20, 2012

Time: 10 a.m. PT / 1 p.m. ET

Length: 1 hour

Where: Twitter – follow the hashtag #IGChat

Twitter Contempt Sanctions Increase Need for Social Media Governance Plan

Thursday, September 13th, 2012

The headline-grabbing news this week regarding Twitter facing possible contempt sanctions is an important reminder that organizations should consider developing a strategy for addressing social media governance. In criminal proceedings against protesters involved in the Occupy Wall Street movement, a New York state court ordered Twitter several weeks ago to turn over various tweets that a protester deleted from his twitter feed relating to the movement’s blocking of the Brooklyn Bridge last year. Twitter has delayed compliance with that order, which has invited the court’s wrath: “I can’t put Twitter or the little blue bird in jail, so the only way to punish is monetarily.” The court is now threatening Twitter with a monetary contempt sanction based on “the company’s earnings statements for the past two quarters.”

At first blush, the proceeding involving Twitter may not seem paradigmatic for organizations. While most organizations do not engage in civil disobedience and typically stay clear of potential criminal actions, the conduct of the protester in unilaterally deleting his tweets raises the question of whether organizations have developed an effective policy to retain and properly supervise communications made through social networking sites.

Organizations in various industry verticals need to ensure that certain messages communicated through social media sites are maintained for legal or regulatory purposes. For example, financial services companies must retain communications with investors and other records that relate to their “business as such” – including those made through social networking sites – for at least three years under section 17a-4(b) of the Securities Exchange Act of 1934. Though this provision is fairly straightforward, it has troubled regulated companies for years. Indeed, almost two-thirds of surveyed asset managers reported that “regulatory recordkeeping” remains their greatest challenge with respect to social media.

Supervision is another troubling issue. With the proliferation of smartphones, burgeoning “bring your own device” (BYOD) policies and the demands of a 24-hour workday, supervision cannot be boiled down to a simple protocol of “I’ll review your messages before you hit send.” Yet supervision is necessary, particularly given the consequences for rogue communications including litigation costs, lost revenues, reduced stock price and damage to the company brand.

Though there are no silver bullets to ensure perfection regarding these governance challenges, organizations can follow some best practices to develop an effective social media governance policy. The first is that companies should prepare a global plan for how they will engage in social media marketing. This initial step is particularly important for groups that are just now exploring the use of social media to communicate with third parties. Having a plan in place that maps out a contact and communication strategy, provides for supervision of company representatives and accounts for compliance with regulatory requirements is essential.

The next step involves educating and training employees regarding the company’s social media policy. This should include instructions regarding what content may be posted to social networking sites and the internal process for doing so. Policies that describe the consequences for deviating from the social media plan should also be clearly delineated. Those policies should detail the legal repercussions – civil and criminal – for both the employee and the organization for social media missteps.

Third, organizations can employ technology to ensure compliance with their social media plan. This may include archiving software and other technology that both retains and enables a cost-effective supervisory review of content. Electronic discovery tools that enable legal holds and efficiently retrieve archived social media content are also useful in developing an efficient and cost-effective response to legal and regulatory requests.

By following these steps and other best practices, organizations will likely be on the way to establishing the foundation of an effective social media governance plan.

Twitter Chat: How to Speak Legalese

Friday, July 20th, 2012
EDITOR’S NOTE: Due to the July 26 Twitter outage, the #IGChat has been postponed to August 2. This post has been updated to reflect new chat details.

Do you know what “subpoena duces tecum” means? What about spoliation? Unless you’re on the legal side of a business, you probably haven’t had to work these terms into your daily conversations. However, if you’re managing an IT team, these are just a couple of the legal terms you’ll want to understand when, sooner or later, your team is tasked with an eDiscovery request.

Like any good relationship, communication is key. In business relationships, IT and legal must speak one another’s language in order to effectively work together. Though the two departments may come from two different worlds and knowledge backgrounds, they quickly become closely tied when an eDiscovery matter hits the fan. And, when it does, IT needs to know legal terms and vice versa to ensure, for example, that data is properly archived and efficiently collected as needed.

Next Thursday, join Symantec eDiscovery experts to discuss this topic – and break down a slew of jargon – on our upcoming Twitter Chat: “How to Speak Legalese.” The chat will take place on Thursday, July 26 at 10am PT.  Simply follow the hashtag #IGChat to join in the discussion. We look forward to hearing your feedback on communication challenges you’ve faced, questions you’ve encountered, and how IT and Legal can learn each other’s language to work together more effectively.

Twitter Chat: How to Speak Legalese (#IGChat)

Date: Thursday, August 2, 2012

Time: 10 a.m. PT / 1 p.m. ET

Length: 1 hour

Where: Twitter – follow the hashtag #IGChat

#InfoGov Twitter Chat Hones in on Starting Places and Best Practices

Tuesday, July 3rd, 2012

Unless you’re an octogenarian living in rural Uzbekistan[i] you’ve likely seen the meteoric rise of social media over the last decade. Even beyond hyper-texting teens, businesses too are taking advantage of this relatively new form function to engage with their more technically savvy customers. Recently, Symantec held its first “Twitter Chat” on the topic of information governance (fondly referred to on Twitter as #InfoGov). For those not familiar with the concept, a Twitter Chat is a virtual discussion held on Twitter using a specific hashtag – in this case #IGChat. At a set date and time, parties interested in the topic log into Twitter and start participating in the fireworks on the designated hashtag.

“Fireworks” may be a bit overstated, but given that the moderators (eDiscovery Counsel at Symantec) and participants were limited to 140 characters, the “conversation” was certainly frenetic. Despite the fast pace, one benefit of a Twitter Chat is that you can communicate with shortened web links, as a way to share and discuss content beyond the severely limited word count. During this somewhat staccato discussion, we found the conversation to take some interesting twists and turns, which I thought I’d excerpt (and expound upon[ii]) in this blog.

Whether in a Twitter Chat or otherwise, once the discussion of information governance begins everyone wants to know where to start. The #IGChat was no different.

  • Where to begin?  While there wasn’t consensus per se on a good starting place, one cogent remark out of the blocks was: “The best way to start is to come up with an agreed upon definition — Gartner’s is here t.co/HtGTWN2g.” While the Gartner definition is a good starting place, there are others out there that are more concise. The eDiscovery Journal Group has a good one as well:  “Information Governance is a comprehensive program of controls, processes, and technologies designed to help organizations maximize the value of information assets while minimizing associated risks and costs.”  Regardless of the precise definition, it’s definitely worth the cycles to rally around a set construct that works for your organization.
  • Who’s on board?  The next topic centered around trying to find the right folks organizationally to participate in the information governance initiative. InfoGovlawyer chimed in: “Seems to me like key #infogov players should include IT, Compliance, Legal, Security reps.” Then, PhilipFavro suggested that the “[r]ight team would likely include IT, legal, records managers, pertinent business units and compliance.” Similar to the previous question, at this stage in the information governance maturation process, there isn’t a single, right answer. More importantly, the team needs to have stakeholders from at least Legal and IT, while bringing in participants from other affected constituencies (Infosec, Records, Risk, Compliance, etc.) – basically, anyone interested in maximizing the value of information while reducing the associated risks.
  • Where’s the ROI?  McManusNYLJ queried: “Do you think #eDiscovery, #archiving and compliance-related technology provide ample ROI? Why or why not?”  Here, the comments came in fast and furious. One participant pointed out that case law can be helpful in showing the risk reduction:  “Great case showing the value of an upstream archive – Danny Lynn t.co/dcReu4Qg.” AlliWalt chimed in: “Yes, one event can set your company back millions…just look at the Dupont v. Kolon case… ROI is very real.” Another noted that “Orgs that take a proactive approach to #eDiscovery requests report a 64% faster response time, 2.3x higher success rate.” And, “these same orgs were 78% less likely to be sanctioned and 47% less likely to be legally compromised t.co/5dLRUyq6.” ROI for information governance seemed to be a nut that can be cracked any number of ways, ranging from risk reduction (via sanctions and adverse legal decisions) to better preparation. Here too, an organization’s particular sensitivities should come into play since all entities won’t have the same concerns about risk reduction, for example.
  • Getting Granular. Pegduncan, an active subject matter expert on the topic, noted that showing ROI was the right idea, but not always easy to demonstrate: “But you have to get their attention. Hard to do when IT is facing funding challenges.” This is when granular eDiscovery costs were mentioned: “EDD costs $3 -18k per gig (Rand survey) and should wake up most – adds up w/ large orgs having 147 matters at once.” Peg wasn’t that easily convinced: “Agreed that EDD costs are part of biz case, but .. it’s the problem of discretionary vs non-discretionary spending.”
  • Tools Play a Role. One participant asked: “what about tools for e-mail thread analysis, de-duplication, near de-duplication – are these applicable to #infogov?” A participant noted that “in the future we will see tools like #DLP and #predictivecoding used for #infogov auto-classification – more on DLP here: t.co/ktDl5ULe.” Pegduncan chimed in that “DLP=Data Loss Prevention. Link to Clearwell’s post on Auto-Classification & DLP t.co/ITMByhbj.”

With a concept as broad and complex as information governance, it’s truly amazing that a cogent “conversation” can take place in a series of 140 character tweets. As the Twitter Chat demonstrates, the information governance concept continues to evolve and is doing so through discussions like this one via a social media platform. As with many of the key information governance themes (Ownership, ROI, Definition, etc.) there isn’t a right answer at this stage, but that isn’t an excuse for not asking the critical questions. “Sooner started, sooner finished” is a motto that will serve many organizations well in these exciting times. And, for folks who say they can’t spare the time, they’d be amazed what they can learn in 140 characters.

Mark your calendars and track your Twitter hashtags now: The next #IGChat will be held on July 26 @ 10am PT.



[i] I’ve never been to rural Uzbekistan, but it just sounded remote.  So, my apologies if there’s a world class internet infrastructure there where the denizens tweet prolifically. Given that’s it’s one (of two) double landlocked countries in the world it seemed like an easy target. Uzbeks please feel free to use the comment field and set me straight.

[ii] Minor edits were made to select tweets, but generally the shortened Twitter grammar wasn’t changed.

Policy vs. Privacy: Striking the Right Balance Between Organization Interests and Employee Privacy

Friday, March 9th, 2012

The lines between professional and personal lives are being further blurred every day. With the proliferation of smart phones, the growth of the virtual workplace and the demands of business extending into all hours of the day, employees now routinely mix business with pleasure by commingling such matters on their work and personal devices. This trend is sure to increase, particularly with “bring your own device” policies now finding their way into companies.

This sometimes awkward marriage of personal and professional issues raises the critical question of how organizations can respect the privacy rights of their employees while also protecting their trade secrets and other confidential/proprietary information. The ability to properly navigate these murky waters under the broader umbrella of information governance may be the difference between a successful business and a litigation-riddled enterprise.

Take, for instance, a recent lawsuit that claimed the Food and Drug Administration (FDA) unlawfully spied on the personal email accounts of nine of its employee scientists and doctors. In that litigation, the FDA is alleged to have monitored email messages those employees sent to Congress and the Office of Inspector of General for the Department of Health & Human Services. In the emails at issue, the scientists and doctors scrutinized the effectiveness of certain medical devices the FDA was about to approve for use on patients.

While the FDA’s email policy clearly delineates that employee communications made from government devices may be monitored or recorded, the FDA may have intercepted employees’ user IDs and passwords and accessed messages they sent from their home computers and personal smart phones. Not only would such conduct potentially violate the Electronic Communications Privacy Act (ECPA), it might also conceivably run afoul of the Whistleblower Protection Act.

The FDA spying allegations have also resulted in a congressional inquiry into the email monitoring policies of all federal agencies throughout the executive branch. Congress is now requesting that the Office of Management and Budget (OMB) produce the following information about agency email monitoring policies:

  • Whether a policy distinguishes between work and personal email
  • Whether user IDs and passwords can be obtained for personal email accounts and, if so, whether safeguards are deployed to prevent misappropriation
  • Whether a policy defines what constitutes protected whistleblower communications

The congressional inquiry surrounding agency email practices provides a valuable measuring stick for how private sector organizations are addressing related issues. For example, does an organization have an acceptable use policy that addresses employee privacy rights? Having such a policy in place is particularly critical given that employees use company-issued smart phones to send out work emails, take photographs and post content to personal social networking pages. If such a policy exists now, query whether it is enforced, what the mechanisms exist for doing so and whether or not such enforcement is transparent to the employees.  Compliance is just as important as issuing the policy in the first place.

Another critical inquiry is whether an organization has an audit/oversight process to prevent the type of abuses that allegedly occurred at the FDA. Such a process is essential for organizations on multiple levels. First, as Congress made clear in its letter to the OMB, monitoring communications that employees make from their personal devices violates the ECPA. It could also interfere with internal company whistleblower processes. And to the extent adverse employment action is taken against an employee-turned-whistleblower, the organization could be liable for violations of the False Claims Act or the Dodd-Frank Wall Street Reform and Consumer Protection Act.

A related aspect to these issues concerns whether an organization can obtain work communications sent from employee personal devices. For example, financial services companies must typically retain communications with investors for at least three years. Has the organization addressed this document retention issue while respecting employee privacy rights in their own smart phones and tablet computers?

If an organization does not have such policies or protections in place, it should not panic and rush off to get policies drafted without thinking ahead. Instead, it should address these issues through an intelligent information governance plan. Such a plan will typically address issues surrounding information security, employee privacy, data retention and eDiscovery within the larger context of industry regulations, business demands and employee productivity. That plan will also include budget allocations to support the acquisition and deployment of technology tools to support written policies on these and other issues.  Addressed in this context, organizations will more likely strike the right balance between their interests and their employees’ privacy and thereby avoid a host of unpleasant outcomes.

LTNY Wrap-Up – What Did We Learn About eDiscovery?

Friday, February 10th, 2012

Now that that dust has settled, the folks who attended LegalTech New York 2012 can try to get to the mountain of emails that accumulated during the event that was LegalTech. Fortunately, there was no ice storm this year, and for the most part, people seemed to heed my “what not to do at LTNY” list. I even found the Starbucks across the street more crowded than the one in the hotel. There was some alcohol-induced hooliganism at a vendor’s party, but most of the other social mixers seemed uniformly tame.

Part of Dan Patrick’s syndicated radio show features a “What Did We Learn Today?” segment, and that inquiry seems fitting for this year’s LegalTech.

  • First of all, the prognostications about buzzwords were spot on, with no shortage of cycles spent on predictive coding (aka Technology Assisted Review). The general session on Monday, hosted by Symantec, had close to a thousand attendees on the edge of their seats to hear Judge Peck, Maura Grossman and Ralph Losey wax eloquently about the ongoing man versus machine debate. Judge Peck uttered a number of quotable sound bites, including the quote of the day: “Keyword searching is absolutely terrible, in terms of statistical responsiveness.” Stay tuned for a longer post with more comments from the General session.
  • Ralph Losey went one step further when commenting on keyword search, stating: “It doesn’t work,… I hope it’s been discredited.” A few have commented that this lambasting may have gone too far, and I’d tend to agree.  It’s not that keyword search is horrific per se. It’s just that its efficacy is limited and the hubris of the average user, who thinks eDiscovery search is like Google search, is where the real trouble lies. It’s important to keep in mind that all these eDiscovery applications are just like tools in the practitioners’ toolbox and they need to be deployed for the right task. Otherwise, the old saw (pun intended) that “when you’re a hammer everything looks like a nail” will inevitably come true.
  • This year’s show also finally put a nail in the coffin of the human review process as the eDiscovery gold standard. That doesn’t mean that attorneys everywhere will abandon the linear review process any time soon, but hopefully it’s becoming increasingly clear that the “evil we know” isn’t very accurate (on top of being very expensive). If that deadly combination doesn’t get folks experimenting with technology assisted review, I don’t know what will.
  • Information governance was also a hot topic, only paling in comparison to Predictive Coding. A survey Symantec conducted at the show indicated that this topic is gaining momentum, but still has a ways to go in terms of action. While 73% of respondents believe an integrated information governance strategy is critical to reducing information risk, only 19% have implemented a system to help them with the problem. This gap presumably indicates a ton of upside for vendors who have a good, attainable information governance solution set.
  • The Hilton still leaves much to be desired as a host location. As they say, familiarity breeds contempt, and for those who’ve notched more than a handful of LegalTech shows, the venue can feel a bit like the movie Groundhog Day, but without Bill Murray. Speculation continues to run rampant about a move to the Javits Center, but the show would likely need to expand pretty significantly before ALM would make the move. And, if there ever was a change, people would assuredly think back with nostalgia on the good old days at the Hilton.
  • Despite the bright lights and elevator advertisement trauma, the mood seemed pretty ebullient, with tons of partnerships, product announcements and consolidation. This positive vibe was a nice change after the last two years when there was still a dark cloud looming over the industry and economy in general.
  • Finally, this year’s show also seemed to embrace social media in a way that it hadn’t done so in years past. Yes, all the social media vehicles were around in years past, but this year many of the vendors’ campaigns seemed to be much more integrated. It was funny to see even the most technically resistant lawyers log in to Twitter (for the first time) to post comments about the show as a way to win premium vendor swag. Next year, I’m sure we’ll see an even more pervasive social media influence, which is a bit ironic given the eDiscovery challenges associated with collecting and reviewing social media content.

ECPA, 4th Amendment, and FOIA: A Trident of Laws Collide on the 25th Birthday of the Electronic Communications Privacy Act

Wednesday, November 2nd, 2011

Google has publicly released the number of U.S. Government requests it had for email productions in the six months preceding December 31, 2009.  They have had to comply with 94% of these 4,601 requests.  Granted, many of these requests were search warrants or subpoenas, but many were not.  Now take 4,601 and multiply it by at least 3 for other social media sources for Facebook, LinkedIn, and Twitter.  The number is big – and so is the concern over how this information is being obtained.

What has becoming increasingly common (and alarming at the same time) is the way this electronically stored information (ESI) is being obtained from third party service providers by the U.S. Government. Some of these requests were actually secret court orders; it is unclear how many of the matters were criminal or civil.  Many of these service providers (Sonic, Google, Microsoft, etc.) are challenging these requests and most often losing. They are losing on two fronts:  1) they are not allowed to inform the data owner about the requests, nor the subsequent production of the emails, and 2) they are forced to actually produce the information.  For example, the U.S. Government obtained one of these secret orders to get WikiLeaks volunteer Jacob Applebaum’s email contact list of the people he has corresponded with over the past two years.  Both Google and Sonic.net were ordered to turn over information and Sonic challenged  the order and lost.  This has forced technology companies to band together to lobby Congress to require search warrants in digital investigations.

There are three primary laws operating at this pivotal intersection that affect the discovery of ESI that resides with third party service providers, and these laws are in a car wreck with no ambulance in sight.  First, there is the antiquated Federal Law, the Electronic Communications Privacy Act of 1986, over which there is much debate at present.  To put the datedness of the ECPA in perspective, it was written before the internet.  This law is the basis that allows the government to secretly obtain information from email and cell phones without a search warrant. Not having a search warrant is in direct conflict with the U.S. Constitution’s 4th Amendment protection against unreasonable searches and seizures.  In the secret order scenario, the creator of data is denied their right to know about the search and seizure (as they would if their homes were being searched, for example) as it is transpiring with the third party.

Where a secret order has been issued and emails have been obtained from a third party service provider, we see the courts treating email much differently than traditional mail and telephone lines.  However, the intent of the law was to give electronic communications the same protections that mail and phone calls have enjoyed for some time. Understandably, the law did not anticipate the advent of the technology we have today.  This is the first collision, and the reason the wheels have gone off the car, since the standard under the ECPA sets a lower bar for email than that of the former two modes of communication.  The government must only show “reasonable grounds” that the records would be “relevant and material” to an investigation, criminal or civil, compared to the other higher standard.

The third law in this collision is the Freedom of Information Act (FOIA).  While certain exceptions and allowances are made for national security and in criminal investigations, these secret orders are not able to be seen by the person whose information has been requested.  Additionally, the public wants to see these requests and these orders, especially if they have no chance of fighting them.  What remains to be seen is what our rights are under FOIA to see these orders, either as a party or a non-related individual to the investigation as a matter of public record.  U.S. Senator Patrick Leahy, (D-VT), the author of the ECPA, acknowledged in no uncertain terms that the law is “significantly outdated and outpaced by rapid changes in technology.”   He has since introduced a bill with many changes that third party service providers have lobbied for to bring the ECPA up to date. The irony of this situation is that the law was intended to provide the same protections for all modes of communication, but in fact makes it easier for the government to request information without the author even knowing.

This is one of the most important issues now facing individuals and the government in the discovery of ESI during investigations and litigation.  A third party service provider of cloud offerings is really no different than a utility company, and the same paradigm can exist as it does with the U.S. Postal Service and the telephone companies when looking to discover this information under the Fourth Amendment, where a warrant is required. The law looks to be changing to reflect this and FOIA should allow the public to access these orders.  Amendments to the Act have been introduced by Senator Leahy, and we can look forward to the common sense changes he proposes that are necessary.  The American people don’t like secrets. Lawyers, get ready to embrace the revisions into your practice by reading up on the changes as they will impact your practices significantly in the near future.

Social Media and eDiscovery: New Kid on the Block, but the Same Story

Friday, September 30th, 2011

In the eDiscovery universe, hot trends and evolving technologies tend to capture the attention of the legal community.  Discoverable data sources have been the focus in the courtroom for quite some time, and just like the “popular kids” from high school, email has held the crown of eDiscovery darling.  Not surprisingly, the more time end-users spend in a specific medium (on Facebook, for example), the more likely data will be created – and as that data multiplies, it has the potential to become compelling in discovery.  It seems that many U.S. organizations are electing to allow social media use at work and for work, rather than blocking access.  For obvious reasons, granting this access is culturally desirable, but from an eDiscovery perspective social media use introduces new complications.  However, don’t be mystified.  There is nothing that new here.

Recently, Symantec issued the findings of its second annual Information Retention and eDiscovery Survey, which examined how enterprises are coping with the tsunami of electronically stored information.  Having lost some popularity, email came in third place (58%) to files/documents (67%) and database/application data (61%) when respondents were asked what type of documents were most commonly part of an eDiscovery request.  The new kid on the block for data sources is social media, reported by 41% of those surveyed.  Social media is in essence no different than any other data type in the eDiscovery process, it’s just the newest.  Said another way; social media is the new email.

Of course, it’s no longer news to proclaim that communications from social networking sites are discoverable.  What is newsworthy is the question of how to effectively store, manage and discover these communications which come in such varying forms, making the logistics of doing so for social media different than for traditional mediums.  Like email, social media is used by everyone (ubiquitous), is viral (fast), has mixed uses (professional and personal) and there is a lot of it (high volume).  Unlike email, social media comes in many different forms (Facebook, LinkedIn, Twitter, etc.), is not controlled within an organization’s firewalls (custody, possession and control issues), and has more complex requirements within the information governance lifecycle (technology is needed to ingest social media into an archive).

The two main areas to examine in relation to social media use and an organization’s policies are: 1) the legal issues that apply specifically to the organization, and 2) the logistical and technical requirements for preservation and collection.  Essentially, what is the organization’s policy surrounding social media use, and how can the information be accessed if need be? Luckily, technology exists that is nimble enough to be able to ingest social media and archive it in accordance with an organization’s policy, should one exist.  Organizations that have recognized social media as the newest kid on the block have, ideally: developed a social media policy, purchased (or deployed) collection and retention technology, and instituted training for their employees.  They have also integrated social media into their information governance strategy and document retention policy. Remember, not all organizations will have to archive social media, but all should address social media with a policy and training.

Other organizations have not accepted social media as part of the evolutionary process of eDiscovery.  They proceed at their own peril – as did the organizations that did not control their email some ten years ago!

These organizations will be in crisis when they need to collect social media for litigation and will most likely have a large lesson in damage control, as well as an equally large bill.  They will be uneducated, ill-prepared and overwhelmed about how to discover social media.  Without a policy, they will have to over collect by default, which will drive up the costs for collection and possibly for downstream review.  Given that the aforementioned survey found nearly half of the respondents did not have an information retention policy in place, and of this group, only 30% were discussing how to do so, it is likely that many of these organizations do not yet have a social media policy either.

With this background in mind, organizations should evaluate which laws and regulations apply to their organization, develop a policy and train their employees on that policy.  Plus ça change, plus c’est la même chose.

For more information about how IT and Legal can manage the impact of social media on their organization and to learn how archiving social media can be accomplished, please join this webcast from Symantec.

Email Isn’t eDiscovery Top Dog Any Longer, Recent Survey Finds

Sunday, September 18th, 2011

Symantec today issued the findings of its second annual Information Retention and eDiscovery Survey, which examined how enterprises are coping with the tsunami of electronically stored information (ESI) that we see expanding by the minute.  Perhaps counter intuitively, the survey of legal and IT personnel at 2,000 enterprises found that email is no longer the primary source of ESI companies produced in response to eDiscovery requests.  In fact, email came in third place (58%) to files/documents (67%) and database/application data (61%).  Marking a departure from the landscape as recently as a few years ago, the survey reveals that email does not axiomatically equal eDiscovery any longer.

Some may react incredulously to these results. For instance, noted eDiscovery expert Ralph Losey continues to stress the paramount importance of email: “In the world of employment litigation it is all about email and attachments and other informal communications. That is not to say databases aren’t also sometimes important. They can be, especially in class actions. But, the focus of eDiscovery remains squarely on email.”   While it’s hard to argue with Ralph, the real takeaway should be less about the relative descent of email’s importance, and more about the ascendency of other data types (including social media), which now have an unquestioned seat at the table.

The primary ramification is that organizations need to prepare for eDiscovery and governmental inquires by casting a wider ESI net, including social media, cloud data, instant messaging and structured data systems.  Forward-thinking companies should map out where all ESI resides company-wide so that these important sources do not go unrecognized.  Once these sources of potentially responsive ESI are accounted for, the right eDiscovery tools need to be deployed so that these disparate types of ESI can be defensibly collected and processed for review in a singular, efficient and auditable environment.

The survey also found that companies which employ best practices such as implementing information retention plans, automating the enforcement of legal holds and leveraging archiving tools instead of relying on backups, fare dramatically better when it comes to responding to eDiscovery requests. Companies in the survey with good information governance hygiene were:

  • 81% more likely to have a formal retention plan in place
  • 63% more likely to automate legal holds
  • 50% more likely to use a formal archiving tool

These top-tier companies in the survey were able to respond much faster and more successfully to an eDiscovery request, often suffering fewer negative consequences:

  • 78% less likely to be sanctioned
  • 47% less likely to lead to a compromised legal position
  • 45% less likely to disclose too much information

This last bullet (disclosing too much information) has a number of negative ramifications beyond just giving the opposition more ammo than is strictly necessary.  Since much of the eDiscovery process is volume-based, particularly the eyes-on review component, every extra gigabyte of produced information costs the organization in both seen and unseen ways.  Some have estimated that it costs between $3-5 a document for manual attorney review – and at 50,000 pages to a gigabyte, these data-related expenses can really add up quickly.

On the other side of the coin, there were those companies with bad information governance hygiene.  While this isn’t terribly surprising, it is shocking to see how many entities fail to connect the dots between information governance and risk reduction.  Despite the numerous risks, the survey found nearly half of the respondents did not have an information retention plan in place, and of this group, only 30% were discussing how to do so.  Most shockingly, 14% appear to be ostriches with their heads in the sand and have no plans to implement any retention plan whatsoever.  When asked why folks weren’t taking action, respondents indicated lack of need (41%), too costly (38%), nobody has been chartered with that responsibility (27%), don’t have time (26%) and lack of expertise (21%) as top reasons.  While I get the cost issue, particularly in these tough economic times, it’s bewildering to think that so many companies feel immune from the requirements of having even a basic retention plan.

As the saying goes, “You don’t need to be a weatherman to tell which way the wind blows.”  And, the winds of change are upon us.  Treating eDiscovery as a repeatable business process isn’t a Herculean task, but it is one that cannot be accomplished without good information governance hygiene and the profound recognition that email isn’t the only game in town.

For more information regarding good records management hygiene, check out this informative video blog and Contoural article.

Two Surveys Confirm Social Media in eDiscovery Has Reached Tipping Point

Tuesday, August 2nd, 2011

As the saying goes, “I’ve seen the future and the future is now.”  This was my first reaction after analyzing two recent surveys regarding social media and eDiscovery.  The first one was from Clearwell (now a part of Symantec) and the Enterprise Strategy Group, entitled: “Trends in E-Discovery: Cloud and Collection.”  Beyond examining cloud issues it also queried respondents about the growing impact of social media on electronic discovery.  While many of the responses struck me as intuitive, I was taken by the fact that we seem to have crossed over the chasm of social media to the point that this content simply cannot be ignored any longer.  For ages, and perhaps some still today, email was the 800 pound gorilla in the eDiscovery context, often to the dangerous exclusion of other forms of electronically stored information (ESI).

But, in 2011 we’ve now reached the tipping point – with 58 percent of respondents of the ESG survey expecting to manage social media applications as part of eDiscovery, more than double the 27 percent who did so in 2010.  That’s not only a massive increase in one year, but it also moves social media from a fringe element to a mainstream source of ESI.  When asked what types of social media applications would be the most relevant for eDiscovery, 79 percent of survey respondents named Facebook, followed by Twitter (64 percent) and LinkedIn (55 percent).

Similarly (and coincidentally), Applied Research and Symantec (who just acquired Clearwell) queried 1,225 senior enterprise IT professionals around the world in a Social Media Flash Poll.  In one of the main findings, the Flash Poll found that social media is extremely ubiquitous in the enterprise environment, with 45 percent of respondents using it for personal uses and 42 percent using it for business reasons.  Rating highly were a number of disparate social media devices including blogs, multimedia sharing, business forums and, of course, social networking – both personal (e.g., Facebook) and business (e.g., LinkedIn).

The impact on eDiscovery, while somewhat obvious, is nevertheless a significant challenge for many enterprises.

Initially, the increased use of social media intrinsically means that email isn’t likely to be the sole source of responsive information pertaining to a lawsuit (or governmental inquiry).  While this hasn’t really been the case for a while, it’s time for the attorneys scoping eDiscovery matters to face facts and abandon old school notions that email axiomatically equals eDiscovery.  For good or ill, our world of potentially responsive ESI simply isn’t that homogenous.

The Flash Poll also honed in on how this increased use of social media is impacting IT professionals.  While information governance concepts (compliance with regulations and retention polices – both at 45 percent) rated higher on their risk index, the management of eDiscovery was still a significant (and growing) concern at 37 percent.  And, while IT folks are increasingly concerned, it’s safe to say that their attorney counterparts (who have a heightened sense of risk profiling) are even more worried about the impact of social media on the already complex eDiscovery process.

So, what can be done in the face of this changing eDiscovery landscape that used to be dominated by email?  First and foremost, it’s imperative to understand your unique regulatory and legal requirements.  This facilitates the mapping of new social media technologies and content to the requisite policies that address data mapping and the retention of social media content, either in a proactive sense (i.e., archiving) or in a reactive sense (i.e., litigation hold).

As Glenn Close frighteningly said in her 1987 thriller, Fatal Attraction, “I will not be ignored.”  That warning fits the entire social media genre as it relates to eDiscovery in 2011.  And, just like ignoring Glenn Close, failing to pay proper attention to social media is done at significant peril to both IT professionals and attorneys alike.